Friday, September 21, 2007

Yahoo's New Social Net Lets Users Tweak Each Other's Profiles

Taking aim at a younger and more fun-loving audience, Yahoo is testing a social networking site known as "Mash" that allows users to mess around with each other's profile pages. While it already has a social networking offering, Yahoo is reportedly trying to inject more fun into the equation. Mash also will offer more traditional social networking features such as photo and game modules.

Yahoo (Nasdaq: YHOO) is beta testing a new social networking site that, among other things, allows users to annoy their friends.

One of the unusual features of the new service -- currently called "Mash" and available by invitation only -- is the way it lets members fool around with other members' profile pages. In fact, according to a Yahoo blog about the site, people can take it upon themselves to create "starter profiles" for friends without them even knowing it.

While these types of shenanigans would certainly cause problems in the real world -- imagine somebody painting your house chartreuse without your approval -- Mash gives users the ability to accept or reject any profile changes made by their friends. It also allows them to bar anybody from messing around with a profile whatsoever.

A New Approach
Mash will be "a new approach to online profiles," said Will Aldrich, the head of the site development team. While he assured prospective Mashers that they'll find the site easy to understand if they've been involved with other online profile services, Aldrich said Yahoo's latest foray into the field includes "some new twists that make things a little interesting and, we think, a lot of fun."

Yahoo will be offering a "growing gallery" of modules, such as photos and games, which can be used by those owning a profile, or their friends, to customize the sites, he said.

Aldrich's blog is the only official acknowledgment by Yahoo that Mash exists. He is careful to warn those who get invited that the site is far from ready for prime time.

"One last note before you jump in: Mash is still pretty raw -- there are bugs and we haven't gotten to several of the features it really should have," wrote Aldrich.

He asked those who are experimenting with Mash to leave suggestions and comments on the blog site, in his Mash profile or on the Mash suggestion board. "We're listening," assured Aldrich.

More Fun than 360
Most of the comments posted in reaction to Aldrich's blog entry were requests for invitations. A number voiced concern that Yahoo would be abandoning its current social networking service, Yahoo 360. While Yahoo 360 is still up and running, Yahoo reportedly is unhappy about its level of success, and some observers suggest the service, while useful, just wasn't much fun.

Yahoo seems to be banking heavily on the fun aspect with Mash and it hopes the surprise factor of friends having access to each other's profiles -- Wikipedia fashion -- will be the spark. The New York Times (NYSE: NYT) labeled Mash "The Social Network for Graffiti Lovers."

Invitations to the network are likely to come from existing members who already created a Mash profile of the person they've invited, Aldrich explained.

"When a friend invites you, he or she can also add or edit different parts of your profile even before you get to view it," wrote Aldrich. "So even though you have never made or seen this profile, it is in fact yours. Until you decide to keep it, the profile created for you will not be visible to the Mash network, nor will you appear in the contacts of your friends."

Eyes of the Beholder
As anybody who's ever had their shrubbery covered with toilet paper on the night before Halloween can attest, good-natured teasing can often be perceived as annoying vandalism or worse. Gartner (NYSE: IT) Research Director Elroy Jopling is one person who wonders if the Mash idea will backfire for that reason.

"It's the old expression, 'It's not what you write, it's what people read. It's not what you say, it's what people hear,'" Jopling told TechNewsWorld. "Interestingly, when you get into that kind of social interacting, you may have your own interpretation of what you say, write or portray, but the person who sees it can have a totally different interpretation."

While the Mash idea is somewhat "dangerous" and leaves "a lot of room for abuse," Jopling said he believes it could succeed.

"It's so easy to come in on something like that, depending on what your age is," said the analyst. "More than likely, I'm older than the people who'd be doing that. My perspective is ... it would be kind of intrusive. But to the generation who may be doing it, it could be a different situation altogether."

The Young and the Goofy
Yahoo is in dire need of a social network, said IDC analyst Karsten Weide. The fact that Mash might be attractive to silly young people is a good thing, he said.

"I could see how that could be attractive to the prime target audience," Weide told TechNewsWorld. "We believe the trick to get a successful social network up is to really target youngsters. Then, later, you open the service to older demographics. We believe Yahoo direly needs a big social network. Yahoo 360 does have a lot of users but not a whole lot of traffic, and the same goes for Windows Live Spaces."

Weide said IDC believes social networks "will be the key component of any Web-based service in the future because users increasingly expect any Web-based service to have social networking functionality."

Cyber-Crooks Ape Business Best Practices

Cyber-crime is a flourishing big business, and although the individuals driving its success may be keeping to the shadows, their handiwork is not. The latest malware tools causing headaches for legitimate businesses and users alike are the products of increasingly professional developers who offer such perks as regular updates and service agreements.

A software tool is released with a performance guarantee and the promise of periodic updates. Another commercial application for the market? Not quite. Rather, this is emblematic of how malware writers are doing business these days.

"We definitely see much of the illegal online activity becoming more professional and adopting behavior and practices you would see in a legitimate company," said Javier Santoyo, senior manager of emerging technologies for Symantec Security Response.

This insight into online criminal behavior is revealed in Symantec's (Nasdaq: SYMC) newly released Internet Security Threat Report. One of its main findings is that cyber-criminals are adopting commercial practices in the development, distribution and use of malicious code and services.

Quality Assurance and Service Agreements
"There is quality assurance testing on these tools, for example," Santoyo told TechNewsWorld. "Many are even providing services . . . like updating the application or tool every time a new exploit is discovered."

Such updates are the reverse of what consumers receive from their antivirus vendors -- that is, instead of updating the software to protect against an exploit, the malware writers update the application to exploit the vulnerability.

One example is MPack, a professionally developed toolkit that installs malicious code on thousands of computers around the world and then monitors the success of the attack through various metrics on its online password-protected control and management console, Symantec said.

Phishing toolkits have also become commercialized, with the top three most widely used phishing toolkits responsible for 42 percent of all phishing attacks detected during the reporting period, which ran from January to June 2007.

Attackers are also learning to adapt to the protective measures put in place by companies and consumers. Instead of trying to break through anti-malware defenses, Symantec found, they have been seeding malware on trusted sites that are widely visited, such as popular financial, social networking and career recruitment Web sites. Symantec said that 61 percent of all vulnerabilities disclosed were in Web applications.

Meeting a Need
These virus writers see themselves as providing a necessary service, Santoyo said. "They know that their tools will be used for illegal activities, but they see the end users -- the people who actually use their products -- as the real criminals."

Some of this insight was gathered through a series of interviews Symantec conducted with one of the hackers behind MPack. It is an occasional tactic the company uses to complement its own research on current malware trends, said Santoyo.

"They never give information that could reveal their identities or could help us thwart their activities," he noted. "Still, though, the interviews are invaluable in helping us keep a handle on what is happening."

Why Application Security Is Often Overlooked

Most IT and security professionals recognize the importance of the applications we support. We also realize that applications -- no matter whether they're Web based, client/server, or mainframe -- can have security flaws. However, when the rubber hits the road, many firms fall down when it comes to building and executing a strategy for application security.

It sounds tremendously obvious to say it this way, but applications are everywhere. Think about it -- your office suite, your e-mail reader, even the software you're using right now to read this -- these are just a fraction of the thousands (if not hundreds of thousands) of applications you use daily both personally and professionally.

For those of us in IT, we recognize that applications are critical to our business. If the right employees can't get access to the right applications at the right time, business stops. When you really boil it down, most of what we do in IT is about making sure that the applications in our firm stay up and available.

Given the complete reliance that our firms have on the applications that we use, we would assume that the discipline of application security -- i.e., validating those applications to be free from security-related flaws -- would be somewhere very near the top of the priority list for IT managers and security pros.

Unfortunately, that's too often not the case. There are some very real business dynamics that sometimes push application security down an IT manager's priority list. However, spending some time understanding why this happens (and what we can do about it) can be a very useful way to get a leg up.

What Is Application Security?
Strictly speaking, application security -- as a discipline -- is any methodology designed to ensure that the applications in scope (for example, within a particular firm) adhere to and enforce the security requirements and policy of the environment in which they live.

This can mean a number of things. It can mean, for example, implementing strategies designed to minimize security flaws such as exploitable bugs. It can also mean taking on strategies designed to meet particular goals -- facilitating encryption of data when it is stored, for instance, or ensuring that data sent between components of the application is authenticated and free from tampering.

In other words, application security is concerned with both preventing unwanted events (like flaws in the code that an attacker can exploit) as well as ensuring desired events (like making sure confidential data is encrypted). This is true for both applications we build in-house as well as applications we buy off the shelf.

To satisfy application security goals, there are a number of approaches that we can use. Dynamic approaches such as automated application vulnerability scanners or manual penetration testing exercise the running application to identify issues so that they can be fixed; source code analysis, done either with automated tools or by developers trained to find common logic and programming errors, parses the source code looking for mistakes.

In addition to this, educational programs aimed at making developers and implementers aware of common coding errors and of security policy help ensure that the applications they write are designed and built with security in mind.

So Why Not Applications?
Most IT and security professionals recognize the importance of the applications we support. We also realize that applications -- no matter whether they're Web based, client/server, or mainframe -- can have security flaws.

However, when the rubber hits the road, many firms fall down when it comes to building and executing a strategy for application security. There are a number of reasons for this, but the primary problem is the diversity of application types and the complexity of the underlying technologies used to build them.

There are all sorts of applications out there (Web apps, legacy mainframe apps, client/server) built using any number of programming languages (Java, C/C++, Visual Basic, Perl). In order to address security within those applications in a comprehensive way, we need to understand both the way that the application stores and transmits data, and also the underlying language and technology used to build the application.

In other words, evaluating a Web app written in Java (for example using servlets) is a completely different exercise than evaluating a CICS application written in COBOL. For applications built in-house, finding and employing individuals with sufficient expertise in all of the platforms in scope is a pretty tall order. For applications we buy off the shelf, we may not even know (or want to know) everything about the underlying technology in use.

However, there are other complexities as well.

In a large enterprise, the number of apps and the interaction points between them can make for tremendous complexity. Each application may interact with dozens of others, and in most cases there is a veritable spiderweb of shared data and application interfaces, and a hodge-podge of legacy components, in play. It's difficult just trying to catalog the applications, let alone evaluate, prioritize and remedy potential security problems.

Smaller firms have different challenges. While there are likely to be fewer applications to worry about in a smaller firm, there is also correspondingly less money and fewer IT staff members. Within that context, hiring a specialized technologist with specific experience in application security may not be an option given budget and headcount.

What Can We Do?
No short article like this one can give you a full plan of action for how to approach application security in your firm. Putting together a complete strategy requires tremendous effort, thought, discussion and resources.

However, IT managers who understand why application security is sometimes overlooked (and what the challenges are) can employ some low-cost "biggest bang for the buck" strategies to get the ball rolling and give them a head start on moving security forward in the application space.

A Triage Unit
As IT managers, we know that we have limited time and resources -- and we need to choose carefully where to deploy resources. In order to do this, we need to be able to prioritize from the applications that exist in the environment.

Unfortunately, there may not be a central catalog or inventory of applications. There may be "stealth" applications "lost in the shuffle," and organizational changes (e.g., mergers) may make some applications hard to pin down.

The first step, then, is finding out where the applications are, what they do, who owns them, and what their relative priority is. However, creating an inventory is expensive; therefore, look to "piggy-back" on work already being done to get the inventory.

Initiatives like Business Impact Assessment (done as part of Business Continuity Planning) or compliance-related planning (e.g., SOX/PCI audits) usually require getting a picture of the application landscape. Why not use that as a chance to get an inventory for application security as well?

Evangelize and Leverage
Use the resources and expertise within the firm and apply them to your agenda. For firms with a lot of in-house development, look to the development community to help you forward your application security goals. Train them in security policy so that they understand what goals are important to you and train them about common security flaws in application code.

By "deputizing" the development community, treating them as partners and giving them a role, you get both their attention (so they are less likely to introduce a security flaw in the first place) as well as the benefit of their expertise (so they are more likely to find, report and fix security issues in the software they maintain).

For firms that have more commercial software and less in-house development, look to the integrators and support teams to help you identify potential issues. After all, nobody knows the applications better than the folks who work with them on a day-to-day basis. Explain to them what types of application security issues you're looking for. Perhaps they already know about a bunch of application security issues and can help you right off the bat; worst case scenario is they can keep their eyes open as they perform their daily jobs and alert you to issues that might crop up.

Google Ratchets Up Fight for Desktop With PowerPoint Rival

Google is amping up its pressure on Microsoft with Presentations, the latest addition to its suite of free, Web-based productivity applications. The tool, which provides functionality similar to that of PowerPoint, allows collaborators to work together on developing a slide show.

Google (Nasdaq: GOOG) has added the third leg to its online suite of office applications. The new addition, dubbed "Presentations," is analogous to Microsoft (Nasdaq: MSFT) PowerPoint. Now that Google has a full-fledged productivity suite, it has shortened its name from "Google Docs and Spreadsheet" to simply "Google Docs."

After logging in to access the suite, users will find presentation files listed alongside documents and spreadsheets in the Google Docs list. They can be edited, shared and published using the Google Docs interface.

As with the other Google applications, Presentations allows several collaborators to work on a slide deck simultaneously. When it's time to make a presentation, participants are connected through Google Talk to follow the slide show. The Presentations application is available in 25 languages.

Google incorporated the presentation creation and document conversion technology it acquired through one of its many recent acquisitions -- Tonic Systems, which is based in San Francisco and Melbourne, Australia. Presentations' main selling point is its online accessibility, which is Google's specialty.

"We've already freed those of you working in teams from the burdens of version control and e-mail attachment overload when going back and forth on word processing and spreadsheets," Sam Schillace, engineering director, wrote in a blog posting in April, when news of the forthcoming Presentations was first announced.

"It just made sense to add presentations to the mix," he added. "After all, when you create slides, you're almost always going to share them. Now students, writers, teachers, organizers, and, well, just about everyone who uses a computer can look forward to having real-time, Web-based collaboration across even more common business document formats."

PowerPoint Killer?
Of course, it took little time after Google made its initial announcement for the market to speculate on the impact Presentations will have on Microsoft Office. The simple story line has been that Google is seeking to establish parity with Microsoft on the desktop with the development of its own office suite of productivity applications.

To a certain extent, Microsoft is feeling competition -- and not just from Google.

"It is interesting that Google makes its announcement the same week that IBM is expected to roll out its Symphony application suite," Charles King, principal with Pund-IT Research, told TechNewsWorld. "There is a growing number of Web-based or open source alternatives to Microsoft Office."

Smaller companies, in particular, are likely to be intrigued by the offerings, he continued. "If a company is using Office currently and looking out at the eventual cost of migrating not only to Office 2007 but also to Vista, the option of moving to a free or Web-based application like Google Docs can be appealing."

Limits to Enterprise Adoption
However, Microsoft Office's mainstay -- the enterprise -- is unlikely to be swayed by Google Docs, according to King. "I have trouble imagining the largest companies shifting to Google Docs, at least as it stands right now."

Google Docs is likely to play more of a supporting, or complementary, role in the enterprise, predicts Greg Sterling, principal of Sterling Research.

"There are certain preferred uses for the Google software -- the idea of one-to-many collaboration among them," he told TechNewsWorld. "Also, its resolution is very good, considering it is an online application."

It's unlikely that Google Docs will become a replacement for Microsoft Office on the desktop, in Sterling's view. However, some of the developers of niche meeting applications may have cause for worry.

"You can use Google Docs to run a conference call for instance," he said.

Another potential class of users may consist of people who are less than thrilled with the glitch-prone presentation software currently on the market.

"Personally, I'm ecstatic to hear that Google is considering a presentation addition, and I would be among the first in line to try it out," Chuck Sanchez, director of public relations for Haute PR, told TechNewsWorld.

"Prior to -- and often during -- every big meeting, there are technical difficulties that turn what should be a simple plug-and-play into a convoluted delay," he explained. Common mishaps include delays while searching for the correct plugin, finding a misplaced flash drive or locating the correct cord to connect a laptop to a projector.

"Allowing large presentations to live online means that they can be as portable as every respectable room with Internet access -- let alone a conference room," he said. "No one will be able to forget the disk or CD with their presentation, and if Google does things correctly, there shouldn't be the extreme delay of waiting to transfer, or even open, a huge PowerPoint presentation."

Great Linux Sites for Developers

Today's Linux developers are much better armed with a variety of support opportunities, noted HP's Bdale Garbee. They have access to project revision boards that open a whole new level of support not available to individual proprietary software developers, he explained. Ultimately, there is no reason a Linux developer should feel isolated and without help.

What's a poor, lonely Linux developer to do? Where are all the good support sites? How am I going to fix that troublesome bug?

These are questions that even novice code writers no longer have to ask. The classic view of a lonely, isolated programmer writing code for some obscure open source project in a back room is no longer an accurate view of the work environment in which Linux developers toil.

Open source programs have become so mainstream that the boundaries are blurring between proprietary, commercial and public domain software. Many software companies offer both open source and commercial versions of business-class programs.

"Open source communities have built amazing response systems to developers' needs," Bdale Garbee, chief technologist for open source and Linux at HP (NYSE: HPQ), told LinuxInsider.

Many Sources
Support sites for Linux developers are extremely important, agreed William Hurley, chief architect of open source strategy for BMC Software. The only thing more important than support is documentation, he said, noting that documentation is often a weakness found in most open source projects.

"Most Linux developers use IRC (Internet relay chat) channels and mailing lists, both absolute musts if your company is trying to support Linux developers," Hurley told LinuxInsider.

Linux developers today do not suffer from a lack of support sites and collaborative outlets. In fact, code-writers have many alternatives to community-based Web sites.

For instance, there are LUGs (Linux User Groups), DevCamps, BarCamps, SuperHappyDevHouse, and countless local meet-ups where developers can mingle with like-minded individuals offline, in the real world, according to Hurley. These events also strengthen the local development community, which is integral to spreading the adoption and support of Linux and other open source projects, he said.

Better Support
Today's Linux developers are much better armed with a variety of support opportunities, noted Garbee. They have access to project revision boards that open a whole new level of support not available to individual proprietary software developers, he explained.

These additional support outlets include Web design forums and e-mail lists. Ultimately, there is no reason a Linux developer should feel isolated and without help.

"Very early in the process, Linux developers need access to wiki technology," Garbee said.

Proprietary Reversal
Linux developers do not face unique needs that isolate them from the information sources available to software developers for other platforms. Rather, suggests Hurley, it's the other way around. It's the proprietary developers who more often have unique needs.

"It's usually very easy to get an answer to an open source development question. Proprietary companies, on the other hand, charge for development programs and support. Also, proprietary developers are conditioned to think proprietary, i.e., they are more competitive and less willing to share knowledge or contribute freely. Open source developers have a mentality of cooperation. Communities share knowledge freely, even with competitors," Hurley said.

Support Directory
LinuxInsider asked industry experts to recommend some of the best support Web sites for Linux developers. Here is a list of the most popular suggestions:

Kernel.org
One of the ultimate Linux developer goals is to gain access to a Kernel.org account. However, this Holy Grail for open source code writers is not easily achieved. Kernel.org does not grant account status unless the developer is making a reasonable amount of contributions to the Linux kernel and has a good reason for wanting and needing access. Those who feel qualified can plead their case for an account via the Web site's link to ftpadmin.

Kernel.org deals primarily with the Linux kernel and its various distributions and larger repositories of packages. It does not mirror individual projects and software. Even if Kernel.org grants a newcomer account status, the administrative team generally does not provide help in solving programming issues because of a lack of resources.

A better starting point is becoming involved with the Kernel Newbies Web site. This is a community of people actively involved with improving and updating their kernels and those of aspiring Linux kernel developers. Here, newcomers may find experienced developers more willing to share their knowledge.

Also check out the Linux Documentation Project.

The Apache Software Foundation
Perhaps playing the role of Big Brother to individual Linux developers, The Apache Software Foundation provides support for the Apache community of open source software projects. Code writers involved in Apache projects are often keenly interested in collaborative exchanges and have a desire to create high-quality software that leads the way in its field.

The Apache.org community sees its role as extending beyond that of a traditional hoster of projects connected by a common server. It is a vibrant community of developers and users. However, newcomers need to approach the community with caution. Membership is reserved for those Linux developers who have demonstrated a commitment to collaborative open source software development through sustained participation and contributions within the Foundation's projects.

Sourceforge.net
One of the newest open source developer help spots is Sourceforge.net, which offers support for a broad base of software categories. Code writers can find communities for clustering, database, desktop, development, enterprise, financial, games and hardware. Sourceforge.net also has community support for multimedia, networking, security and storage.

This past July, Sourceforge.net launched a Community Section with tools to help developers talk to Sourceforge leadership and other developers.

There you will find forums for discussing topics not directly related to particular software projects, a blog with posts from the Sourceforge.net regulars, and a calendar of upcoming events.

The Linux Foundation
Another relatively new group for Linux movers and shakers is The Linux Foundation (LF). LF is a nonprofit consortium founded earlier this year by the merger of the Open Source Development Labs and the Free Standards Group. Its leadership is bent on fostering the growth of Linux and is supported by a growing list of leading Linux and open source companies and software developers from around the world.

Linux code writers will find a base here for neutral collaboration forums that focus on helping companies and individuals work together to solve the challenges facing the Linux platform. The Linux Foundation Advisory Councils provide forums for end users, members, vendors and community developers to discuss shared issues, collaborate on projects of common interest and decide how best to direct resources in support of the development community.

Mozilla.org
Here, Linux code writers can find all things related to Web site issues and the open source browser world. Mozilla.org can provide a wealth of community contacts for Linux developers working on projects that integrate with Mozilla projects such as the Firefox browser.

One handy information source is the Microsummaries. These are regularly-updated succinct compilations of the most important information on Web pages. Site and third-party developers provide them.

The Mozilla Development Center provides information on new developer features in Firefox 2 for application developers, XUL developers and extension developers.

Bush Wants Spy Law Changes Set in Stone

President Bush is urging Congress to renew the Protect America Act, which is set to expire Feb. 1, 2008. "The threat from Al-Qaeda is not going to expire in 135 days," Bush warned during a visit to the National Security Agency. "Unless the FISA reforms in the act are made permanent, our national security professionals will lose critical tools they need to protect our country," he said.

President Bush wants to renew and expand the controversial temporary surveillance legislation he rushed into law last month.

The law, also known as the "Protect America Act," updates the Foreign Intelligence Surveillance Act (FISA) by permitting warrantless surveillance of any targets located abroad, even if they are communicating with someone in the United States. Because of a sunset clause, the law is due to expire Feb. 1, 2008.

"The threat from Al-Qaeda is not going to expire in 135 days," Bush warned during a Wednesday visit to the National Security Agency (NSA) in Fort Meade, Md.

"Unless the FISA reforms in the act are made permanent, our national security professionals will lose critical tools they need to protect our country," he said. "Without these tools, it'll be harder to figure out what our enemies are doing to train, recruit and infiltrate operatives in our country. Without these tools our country will be much more vulnerable to attack."

'Liability Protection'
In addition to urging Congress to renew the current legislation, Bush also asked for additional measures he originally proposed last April that would protect companies that have come under fire for their role in government wiretapping programs. AT&T (NYSE: T), for instance, is involved in a lawsuit brought by the Electronic Frontier Foundation for its assistance in the NSA's broad-scale wiretapping efforts.

"It's particularly important for Congress to provide meaningful liability protection to those companies now facing multibillion-dollar lawsuits only because they are believed to have assisted in efforts to defend our nation following the 9/11 attacks," Bush said. "Additionally, without this protection, state secrets could be revealed in connection with those lawsuits -- and our ability to protect our people would be weakened."

Many Democrats were uneasy with the legislation Bush forced through just before Congress's August recess, and the sunset clause was included in the law as a way to ensure that it would be revisited.

Civil liberties groups, meanwhile, continue to vociferously oppose it.

'A Terrible Message'
"Our view is that based on the information that has been made available to the public, the case has grown for better oversight and accountability for electronic surveillance efforts by the United States," Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), told the E-Commerce Times.

"The critical issue people need to understand is that effective national security requires effective oversight of government activities," Rotenberg explained. Regarding the proposed liability protection for telecommunications firms, meanwhile, "it sends a terrible message for the administration to in effect suspend the privacy laws that protect the rights of Americans," he added.

National security and privacy protection for American citizens are not mutually exclusive, the Center for Democracy and Technology maintains.

"Congress can provide exactly what Mike McConnell, the Director of National Intelligence, says he needs while also including protections for the privacy of Americans, but the Protect America Act fails to do that," David McGuire, spokesperson for the Center for Democracy and Technology, told the E-Commerce Times.

Fear Tactics
"Our firm belief is that there is a way to enact a surveillance law that closes the technological loopholes that have been mentioned and makes it possible to engage in legitimate surveillance -- both on foreign suspects and, with appropriate court approval, American ones -- while also ensuring that ordinary Americans are not swept up in investigative dragnets," he said.

Bush concluded his speech at the NSA by emphasizing that "the decisions Congress makes will directly affect our ability to save American lives" -- an assertion the American Civil Liberties Union (ACLU) called nothing short of "fear-mongering."

"As part of the PR effort to gut the Foreign Intelligence Surveillance Act, the Bush Administration has pulled out every scare tactic in the book, including exaggeration and outright fibbing," said Caroline Fredrickson, director of the Washington legislative office of the ACLU.

"This goes hand-in-hand with the usual fear-mongering," she said, "all designed to get Congress to vote to suspend the Fourth Amendment rights of Americans."

Monday, September 17, 2007

Stress Reliever

Stress Reliever # 1

Wife: You always carry my photo in your handbag to the office. Why?

Hubby: When there is a problem, no matter how impossible, I look at your picture and the problem disappears.

Wife: You see, how miraculous and powerful I am for you?

Hubby: Yes, I see your picture and say to myself, "What other problem can there be greater than this one?"

Stress Reliever # 2

Girl: When we get married, I want to share all your worries, troubles and lighten your burden.

Boy: It's very kind of you, darling, but I don't have any worries or troubles.

Girl: Well that's because we aren't married yet.

Stress Reliever # 3

Son: Mom, when I was on the bus with Dad this morning, he told me to give up my seat to a lady.

Mom: Well, you have done the right thing.

Son: But mum, I was sitting on daddy's lap.

Stress Reliever # 4

A newly married man asked his wife, "Would you have married me if my father hadn't left me a fortune?"

"Honey," the woman replied sweetly, "I'd have married you NO MATTER WHO LEFT YOU A FORTUNE."

Stress Reliever # 5

Father to son after exam: "Let me see your report card."

Son: "My friend just borrowed it. He wants to scare his parents."

Stress Reliever #6

Girl to her boyfriend: One kiss and I'll be yours forever.

The guy replies: Thanks for the warning.

Stress Reliever # 7

A wife asked her husband: "What do you like most in me - my pretty face or my sexy body?"

He looked at her from head to toe and replied: "I like your sense of humour."

Why Are Call Center Guys Paid So Much?

People wonder why the call centre guys are paid so much for just being on the phone. Take a look at some of the conversations between Technical Support executives and customers on the phone.

Case 1

Tech Support: "I need you to right-click on the Open Desktop."
Customer: "Ok."

Tech Support: "Did you get a pop-up menu?"
Customer: "No."

Tech Support: "Ok. Right click again. Do you see a pop-up menu?"
Customer: "No."

Tech Support: "Ok, sir. Can you tell me what you have done up until this point?"
Customer: "Sure, you told me to write 'click' and I wrote 'click'."

Case 2

Customer: "I received the software update you sent, but I am still getting the same error message."
Tech Support: "Did you install the update?"

Customer: "No. Oh, am I supposed to install it to get it to work?"

Case 3

Customer: "I'm having trouble installing Microsoft Word."
Tech Support: "Tell me what you've done."

Customer: "I typed 'A: SETUP'."
Tech Support: "Ma'am, remove the disk and tell me what it says."

Customer: "It says '[PC manufacturer] Restore and Recovery disk'."
Tech Support: "Insert the MS Word setup disk."

Customer: "What?"
Tech Support: "Did you buy MS Word?"

Customer: "No..."

Case 4

Customer: "Do I need a computer to use your software?"
Tech Support: ?!%#$ (well, pretend to smile)

Case 5

Tech Support: "Ok, in the bottom left hand side of the screen, can you see the 'OK' button displayed?"
Customer: "Wow. How can you see my screen from there?"

Tech support: ##### ***

Case 6

Tech Support: "What type of computer do you have?"
Customer: "A white one."
Tech support: ******_____####

Case 7

Tech Support: "What operating system are you running?"
Customer: "Pentium."

Tech support: ////-----+++

Case 8

Customer: "My computer's telling me I performed an illegal abortion."
Tech support: ??????

Case 9

Customer: "I have Microsoft Exploder."
Tech Support: ?!%#$

Case 10

Customer: "How do I print my voicemail?"
Tech support: ??????

Case 11

Customer: "You've got to fix my computer. I urgently need to print a document, but the computer won't boot properly."
Tech Support: "What does it say?"

Customer: "Something about an error and non-system disk."
Tech Support: "Look at your machine. Is there a floppy inside?"

Customer: "No, but there's a sticker saying there's an Intel inside."

Tech support: @@@@@

Case 12

Tech Support: "Just call us back if there's a problem. We're open 24 hours."
Customer: "Is that Eastern time?"

Case 13

Tech Support: "What does the screen say now?"
Customer: "It says, 'Hit ENTER when ready'."

Tech Support: "Well?"
Customer: "How do I know when it's ready?"

Tech support: *** ---- ++++

The Best of the Lot

Case 14

A plain computer illiterate guy rings tech support to report that his computer is faulty.

Tech: What's the problem?
User: There is smoke coming out of the power supply.

Tech: (keeps quiet for a moment)

Tech: You'll need a new power supply.
User: No, I don't! I just need to change the startup files.

Tech: Sir, the power supply is faulty. You'll need to replace it.
User: No way! Someone told me that I just needed to change the startup and it will fix the problem! All I need is for you to tell me the command.

10 minutes later, the user is still adamant that he is right. The tech is frustrated and fed up.
Tech support:(hush hush)

Tech: Sorry, Sir. We don't normally tell our customers this, but there is an undocumented DOS command that will fix the problem.
User: I knew it!

Tech: Just add the line LOAD NOSMOKE.COM at the end of the CONFIG.SYS. Let me know how it goes.

10 minutes later.

User: It didn't work. The power supply is still smoking.
Tech: Well, what version of DOS are you using?

User: MS-DOS 6.22.
Tech: That's your problem there. That version of DOS didn't come with NOSMOKE. Contact Microsoft and ask them for a patch that will give you the file. Let me know how it goes.

1 hour later.

User: I need a new power supply.
Tech support: How did you come to that conclusion?

Tech support: (hush hush)

User: Well, I rang Microsoft and told him about what you said, and he started asking questions about the make of power supply.
Tech: Then what did he say?

User: He told me that my power supply isn't compatible with NOSMOKE.

Height of All (Too Good)

Case 15

Customer care officer: I need a product identification number right now. May I help you find it?
Customer: Sure.

Customer Care Officer: Can you left click on start and do you find 'My Computer'?
Customer: I did left click but how the hell do I find your computer?

Types of Computer Women

Virus Woman
She installs herself in your apartment and plays the boss. If you try to uninstall her, you lose some stuff. If you don't, you'll lose everything.

Internet Woman
You have to pay to have access.

Server Woman
Always busy when you want her.

Windows Woman
You know that she has many bugs, but you can't live without her.

Macintosh Woman
Attractive, almost perfect, costs more money, but not so compatible with others. Only 5% of men have the pleasure of getting her.

PowerPoint Woman
She's ideal for party presentations, business meals, etc.

Excel Woman
They say she knows many things, but you use her only for basic things.

Word Woman
She always surprises you, and nobody can understand her.

DOS Woman
Everybody has had her once, but nobody wants her now.

Backup Woman
You think she has everything, but when you want to try her, she's missing something.

Scandisk Woman
We know that she's good and willing to help you, but she really doesn't know anything.

Screensaver Woman
Useful for nothing, but she amuses you.

Paintbrush Woman
She's all makeup, but nothing else.

Harddisk Woman
She knows everything, all the time.

User Woman
She doesn't do anything good and is always asking you for something.

E-mail Woman
Of every 10 sentences she says, 9 are bullshit.

Silly & Funny Interview Questions

Story I

Employer: Do you have a boyfriend?
Candidate: I have.
Employer: Is he working locally?
Candidate: No. He is working Overseas.
Employer: Sorry, my company cannot employ you!
Candidate: Why?
Employer: You will not be able to settle down here permanently. And my company doesn’t want to pay extra expenses on the overseas calls just because of you.

Story II

Employer: Any girl friends?
Candidate: No.
Employer: Have you chased any before?
Candidate: I have, but not successfully.
Employer: Ever think of getting a job first and then starting to look for a girlfriend?
Candidate: Career is my first priority. Currently I don't want to consider this personal issue.
Employer: Sorry, my company cannot employ you.
Candidate: Why?
Employer: You lack public relations skills and confidence!!

Story III

Employer: Any girlfriends?
Candidate: Yes.
Employer: Is she pretty?
Candidate: Not quite.
Employer: Sorry, my company cannot employ you.
Candidate: Why? Will this affect your company's reputation?
Employer: No, it does not affect the company's reputation, but because my company deals with arts, we require an artist.

Story IV

Employer: Any girlfriends?
Candidate: Yes.
Employer: Is she pretty?
Candidate: Yes.
Employer: Is she your first lover?
Candidate: Yes.
Employer: Sorry, we can't employ you because you lack fighting spirit.

Story V

Employer: Any girlfriends?
Candidate: Yes.
Employer: Is she your first lover?
Candidate: No. I have had a few already.
Employer: Sorry, my company cannot employ you because you are a "grasshopper"! (Job hopper!)

Story VI

Employer: Any boyfriends?
Candidate: Yes.
Employer: Is he rich?
Candidate: No.
Employer: Then sorry, my company cannot employ you because our company deals with money and you will seduce.

Story VII

Employer: Any boyfriends?
Candidate: Yes.
Employer: Is he rich?
Candidate: Yes, very rich. He owns a company.
Employer: Sorry, we cannot employ you because your boyfriend doesn't even want to employ you, and neither do we!
Candidate: But, there is no position in his company.
Employer: Then, what is your qualification?
Candidate: Secretary!
Employer: Sorry, we still cannot employ you because your prettiness will affect your managers' working spirits.
Candidate: But, I am not pretty at all.
Employer: It is even worse because my managers will not be interested in you!!

Craziest Interviews

Interview 1

Interviewer: If we give you a module which consists of new technology, how will you proceed with it?
My answer: I will first understand the module, learn the technology and develop the code after doing the design ASAP.

Interviewer: What will you do if we give you one day for doing all this?
My answer: I will do it in one day.

Interviewer: What will you do if you are not able to complete in one day?
My answer: If the work is not completed by the end of the day, I will request some more time.

Interviewer: What if we insist you to complete it on the same day?
My answer: I will spend 24 hrs and complete it. I am ready to cook food at the office and work as if I am working in a call center. (I am getting irritated at this point.)

Interviewer: What will you do if no documentation is available for this new technology?
My answer: I will ask for a knowledge transfer from my seniors.

Interviewer: What will you do if no one had worked on this technology before?
My answer: I will request some more time to acquire the knowledge and complete the work.

Interviewer: What if we force you to complete the work in one day without documentation, support?
My answer: If you can at least give me a computer to do things, I know how to do it without documentation, support and time.

Is it really worth asking this kind of question? What can a person do if he needs to work on a new technology with no documentation, no support and no time? I am not God, of course; I am a developer. Am I wrong with my answers?

Interview 2

Interviewer: If we give you a module which consists of new technology, how will you proceed with it?
My answer: Learn the technology on the fly (as is expected from today's IT professionals) as soon as possible and understand the module. If possible, I would like to get trained in that technology if training is provided by the company.

Interviewer: What will you do if we give you one day for doing all this?
My answer: I will estimate the ETC (estimated time of completion), and if I think the time given is less than my estimate I will inform you and try to extend the ETC.

Interviewer: What will you do if you are not able to complete in one day?
My answer: My first priority is to complete the task within the ETC. If I am not able to complete it within that time, my attempt would be to get it done ASAP without extending the ETC any further. I would also inform the authority I report to about this extended ETC.

Interviewer: What if we insist you to complete it on the same day?
My answer: To be honest, if I am not able to deliver on time I would prefer to inform you in advance that the expected time of completion does not match my estimated ETC, rather than accepting to deliver and later failing to do so.

Interviewer: What will you do if no documentation is available for this new technology?
My answer: Now this is a stupid question. A new technology with no documentation?

Interviewer: What will you do if no one had worked on this technology before?
My answer: Take it as a good learning experience and I think it is always good to work on the latest technology.

Interviewer: What if we force you to complete the work in one day without documentation, support?
My answer: I will try my best given all above facts!

Interview 3

Interviewer: If we give you a module which consists of new technology, how will you proceed with it?
My answer: I'll review the requirements for the module, learn the technology and then confirm that it's the correct technology for the job. Very often a new technology is overused because it's "cool" even when it's not appropriate; this is called the "new buzzsaw" problem, somewhat akin to the "golden hammer" problem.

Interviewer: What will you do if we give you one day for doing all this?
My answer: Hope that it takes a day to complete. I'll provide an estimate at the start and if I think it will be longer than one day, I'll let you know.

Interviewer: What will you do if you are not able to complete in one day?
My answer: If it's because I'm incapable of completing it in one day but believe that someone else could, then likely sometime in the early afternoon I'll realize this and ask for help. If it's not realistic for anyone to complete it in one day, then I will raise the concern along with my estimate.

Interviewer: What if we insist you to complete it on the same day?
My answer: There is a principle called the engineering triangle, consisting of time, resources, and scope. You can pick any two. Here you are trying to constrain all three, and that is not realistic. I would address the issue of constraints with the appropriate party.

Interviewer: What will you do if no documentation is available for this new technology?
My answer: Seek out information, from the web, or from others both inside the company and out. I would also raise a concern about using undocumented technology.

Interviewer: What will you do if you can't find any information on this technology? (Note: I changed the wording to be equivalently responsive to my prior answer.)
My answer: I will seriously question the desire to use the technology in light of this limitation. If we must, then I will make sure we include learning time in the estimate. I will also look for other ways to reduce risk in the project to trade-off the increased technology risk.

Interviewer: What if we force you to complete the work in one day without documentation, support?
My answer: I'd probably deliver a substandard product and would quit over my frustration with the incompetent management.

Interview 4
Interviewer: What if I ask you to work on a new technology?
Me: It will be nice to have exposure to a new technology. (I will have another thing to brag about in my resume.)

Interviewer: What if there is no support/documentation?
Me: I can still do it. In my previous project I was working alone (because nobody was able to understand what I said, and I was not able to interpret what was written in the documentation).

Interviewer: What if there is only 24 hours' time?
Me: So what? I can still deliver it. (Then it will be your headache to listen to the client's complaints.) You see, the mighty Aussies, after 5 back-to-back defeats, are going to the World Cup without any time to improve.

Interviewer: What???? They lost the last match also???
Me: Not yet. The game is in progress. It's a close match. It can go either way.

Interviewer: My God!!! What has happened to the Aussies?
Me: Dunno. Maybe they were getting bored of winning every time.

Interviewer: So what's the score?
Me: Last 5 overs remaining, New Zealand need 40 runs... blah blah blah...

Interviewer: Which site do you use to see the live scorecard?
Me: espnstar.com

Interviewer: Damn... espnstar.com is blocked in my office. Can't even track the score once I am in the office.
Me: What, espnstar.com is blocked in your office? Damn!!! I guess we should end here.

Interviewer: Ya, you won't like it in here. By the way, is there any position open with your current employer?
Me: Ohh yes... why not, they are looking for... blah blah blah... Ok, so tell me, what would you do if your manager gives you unrealistic deadlines, no support, insufficient resources, etc., etc.?

Interviewer: Ummm... that's a real tricky one...

Google's Press for Global Privacy Fans Flames

Google called for a set of global standards for protecting consumer Web privacy at a recent United Nations Educational, Scientific and Cultural Organization (UNESCO) ethics conference. Although privacy counsel Peter Fleischer pegged the move as part of Google's job as an Internet leader "to show some leadership and be constructive," insiders say it's a thinly veiled attempt to get ahead of the privacy woes that have dogged its pending DoubleClick buy.


"It's clear that this is motivated in part to dampen the growing opposition to the DoubleClick takeover," said Jeff Chester, executive director of the Center for Digital Democracy (CDD). "Google is attempting to head off a global regulatory digital train wreck."

In the U.S., the FTC is investigating the $3.1 billion acquisition from an anti-competitive standpoint, but concerns about Google's search data collection and retention policies (and melding them with DoubleClick's) have also factored into the scrutiny.

Meanwhile, in July, pressures from the EU led the search giant to scale back the length of time it would retain user data (from indefinitely to no longer than 18 months), although European regulators now have their eyes on the DoubleClick deal as well.

CDD is scheduled to participate in an already scheduled press briefing today on "Google, Online Advertising, and Privacy" along with representatives from the U.S. Public Interest Research Group and the Electronic Privacy Information Center (EPIC).

"Google is under enormous pressure from many countries around the world who are fed up with their arrogance and their unwillingness to make meaningful changes to their business practices," said Marc Rotenberg, executive director of EPIC. "They are also trying desperately to push the acquisition of DoubleClick through the Federal Trade Commission. And they've met enormous resistance."

Fleischer addressed the criticism directly, at a press conference (in Strasbourg, where the UNESCO meeting was held), saying: "By supporting global privacy standards, there will be a debate and part of that debate will be what our motives are." He added that Google would be pushing for the standards "regardless of whether DoubleClick were part of the equation or not." He also added that CEO Eric Schmidt would be publicly underscoring the company's stance on user privacy and protection some time in the future.

Nonetheless, the conference provided an international forum for Google to reinforce its 'don't be evil' mantra -- and the search giant did it by endorsing a set of privacy standards established by the Asia-Pacific Economic Cooperation (APEC).

The APEC Privacy Framework focuses on "preventing harm" to users -- by emphasizing security safeguards and imposing limitations on how much personal information can be collected. Google acknowledged that the APEC standards are only a starting point -- as they were drafted and approved by 21 members of APEC in 2004, and need to be adapted for global use and acceptance three years later.

Fleischer added: "It is absolutely imperative that these standards are aligned to today's commercial realities and political needs, but they must also reflect technological realities."

Critics argued that the search giant gave no specifics for how to move forward with a global implementation -- calling it another sign that the endorsement was just Google posturing for the FTC.

"Mr. Fleischer is lobbying to get a privacy Band-aid placed over an ever-growing flow of personal data being squeezed from consumers (by Google and others)," said Chester.

According to Jonah Stein, Web privacy expert and senior SEM director at Alchemist Media, the search giant has a vested interest in helping to establish international privacy standards that goes beyond the DoubleClick deal.

"Google certainly wants to make sure the deal goes through with the FTC, but we do need global standards, and they are a global player," said Stein. "When you look at the EU and some of the other legal entities they have to deal with, it's not unreasonable for them to try to find an international standard that everyone else can agree on."

Stein also said that the move should not have come as a surprise. What may be less surprising is that even in the midst of this announcement, the search giant was facing government and media scrutiny in Canada -- with speculation as to whether Google's Street View map feature will violate Canadian privacy laws.

The feature that shows still video footage of locations when users click on map markers has not gone live in Canada yet, but caused skeptics to wave the privacy flag in the U.S. when the shots were found to contain glimpses of pedestrians' faces in detail.

Criminals target trusted websites

Canada ranks second worldwide as top source of malicious Internet activity

Trusted websites have become the patient zero for some viral epidemics in the virtual world with sophisticated cyber-criminals using them to lure unsuspecting computer users into spreading their malicious code.

And Canada is a key global player in the dark side of the Internet, now ranking second worldwide after Israel as the top source of malicious Internet activity.

These are among the findings of Symantec's Internet Security Threat Report Trends for the first six months of this year, released today.

"The Web is becoming patient zero for infections and we are now faced with situations where even the guys you would normally trust have an issue," said Dean Turner, director of Symantec's global intelligence networks. "The Web has really become the focal point.

"Instead of the bad guys going to you, you are going to them."

The threat comes from the increasing number of trusted websites being hacked by the professional criminals who have sophisticated commercial tools that allow them to operate vast networks of infected computers.

Even government websites are not immune from the hackers.

"What we found was that governments are the targets and the victims of the same thing as enterprises are when it comes to hosting phishing sites," said Turner.

Phishing is a technique used by cyber-criminals to acquire sensitive personal data such as credit-card and banking information.

Turner said 23 per cent of all government websites hosting phishing sites were on government domains in Thailand. And the study found that four per cent of all malicious activity detected during the first six months of 2007 originated from Internet Protocol space registered with Fortune 100 companies.

"Fortune 100 companies control seven per cent of all IP space worldwide, so it is pretty significant when we see that activity coming from the Fortune 100 - that's a lot of IP space."

Turner said that figure is likely explained by criminals capitalizing on the unused IP space of the companies.

"The bad guys know," he said. "If they are looking for activity on this IP space and they are not seeing any, they know it is fertile ground."

Turner said Canadians spend the most time online of any computer users in the world, a trend he said could explain this country's high ranking in malicious Internet activity.

Among other findings of the report:

- Bot networks, networks of infected computers that are controlled by criminals, have a lifespan of 19 days in Canada, the longest lifespan of bot networks anywhere in the world.

- The U.S. was the target of the most denial of service (DoS) attacks, accounting for 61 per cent of all such attacks worldwide in the first half of this year.

- The U.S. also was the top country of origin for attack, accounting for 25 per cent of all global attacks.

- The education sector topped all sectors for data breaches that could lead to identity theft, accounting for 30 per cent of all such data breaches over the first six months of 2007.

- The theft or loss of a computer or other data-storage medium made up 46 per cent of all data breaches that could lead to identity theft in the first half of this year.

- Credit cards, at 22 per cent of all items, were the most common commodity listed in the underground economy and 85 per cent of the cards being sold were issued by banks in the U.S.

Verizon Sues To Block Open Access to Spectrum

With Verizon suing to block the open-access rules -- a move that Google has called "regrettable" -- industry observers are beginning to weigh in on whether the spectrum auction will take place on schedule. Philip Verveer, a Washington attorney specializing in the wireless industry, said Verizon faces a difficult time in trying to undo the FCC rules.

Verizon threw a wrench in plans for a quiet run-up to the Federal Communication Commission's January auction of the valuable 700-MHz spectrum. The telecom company filed a petition with a court of appeals to overturn the FCC's decision to attach open-access rules to part of the spectrum.

The filing does not state any specific grounds for review, asserting merely that the FCC's rulemaking exceeds its authority under the Communications Act, the Constitution, and the Administrative Procedure Act, and is "arbitrary, capricious [and] unsupported by substantial evidence."

In July, the FCC passed a plan for the auction that imposes open-access rules on the so-called "C" block of the spectrum, encompassing roughly a third of the spectrum to be auctioned. Under the rules, the C block spectrum must be open to all devices and applications.

Google Calls Action 'Regrettable'

Google, which had pressed for even greater rules for open access, has announced its intention to bid in the auction. Bidding starts at $4.5 billion and the winning bid is expected to wind up over $9 billion.

Writing on a Google blog, Chris Sacca, head of special initiatives, wrote, "The nation's spectrum airwaves are not the birthright of any one company. They are a unique and valuable public resource that belong to all Americans." Sacca went on to say that it is "regrettable" that Verizon has decided to use the court system "to try to prevent consumers from having any choice of innovative services."

Google might not have that much to worry about. Verizon faces a "very difficult" time in trying to undo rules the FCC has promulgated, Philip Verveer, a partner with the law firm of Willkie, Farr & Gallagher in Washington DC, said in a telephone interview. As an antitrust lawyer for the Justice Department, Verveer was instrumental in the breakup of the old AT&T.

"Agency action goes to appellate court with the presumption that the agency is correct," he explained. In addition, courts tend to defer to executive agencies in technical matters. "This matter is one where the FCC's discretion under the statute is very broad. Any appeal of agency action is going to have a very difficult time," he said.

Spectrum Auction Delay Unlikely

Because of the statutory requirement for the start of the auction, "it's going to be very difficult to convince the court of appeals" to delay the auction, Verveer added. To make matters worse for Verizon, "the more technical the rulemaking, the harder it is" to get it overturned, he said.

Verveer noted that Verizon has not yet tipped its hand as to its legal arguments. "As a practical matter, they may be trying to have a place at the table," he said. It's possible that the Frontline group, led by former FCC Chair Reed Hundt, would also appeal the FCC rules, arguing that the FCC "didn't go far enough." By appealing now, Verizon might be positioning itself to balance those arguments with the claim that the FCC went too far, Verveer said.

Verizon's next step will likely be to ask the FCC to reconsider its decision and stay the start of the auction. The agency "almost never grants" such requests, Verveer said. Verizon would likely reveal its legal theories at this reconsideration stage.

Could all of this set back the scheduled start of the auction on January 16? "The FCC is going to be extraordinarily reluctant to let this affect the timeline," Verveer said. "Unless Verizon has a legal point that creates tremendous anxiety at the FCC, it will continue on its timetable."

Microsoft Escapes Patch Tuesday Drama

There were only four fixes released on Patch Tuesday, but the updates affect several types of users, especially because of the Messenger fix. "Since instant messaging software is installed by home users as well as corporate users, it affects everyone," noted Amol Sarwate, manager of the Vulnerability Research Lab at Qualys.

After its fair share of zero-day vulnerabilities and scores of patches over the past few quarters, Microsoft's September Patch Tuesday might seem uneventful for I.T. admins. Still, there is some work to do this month with four patches in the hopper.

One critical patch fixes a bug in Windows Server 2000 that potentially allows a hacker to take control of a victim's computer from a remote location. Another security bulletin, rated important, describes a vulnerability for Windows Services for Unix and the subsystem for Unix-based applications. The second important patch affects Microsoft Visual Studio, while the third important update fixes a flaw that affects MSN Messenger and Windows Live Messenger.

"Users of Windows Server 2000 Service Pack 4 should be paying most attention to Microsoft's patches," said Dave Marcus, security research and communications manager at McAfee Avert Labs. "However, we don't foresee a lot of exploitation of the Windows 2000 vulnerability. Not many people will use those legacy systems to surf the Web, which would be the primary attack vector."

Messaging Clients Targeted

Viruses spread through instant messaging are seeing a lot of press lately. Skype suffered highly publicized attacks this week, and now Microsoft is trying to avoid the same storyline by patching a vulnerability in its messaging client. According to Andrew Storms, director of Security Operations for nCircle, the Messenger fix, which patches a remote code execution bug in the video chat functionality of the messaging client, is the most interesting update this month.

"This exploit was first announced several weeks ago and Microsoft moved very quickly to get this fix out. I'm sure this is because of the recent flush of exploits that target IM clients," Storms said. "We have seen two bugs in Yahoo Messenger, one of which was almost identical to this MSN Messenger chat vulnerability. IM clients are the hot, new vector for exploits and this trend will definitely continue for the foreseeable future."

The remaining patches affect "power users," or users with administrator or developer roles, including the one critical vulnerability described in security bulletin MS07-051. Specifically, this patch affects Microsoft Agent, the component that displays animated characters such as "Clippy," the Microsoft Office talking paperclip.

"While critical, it is important to note that it only affects Windows 2000 Service Pack 4 users, not those running Windows 2003, XP, or Vista operating systems," noted Amol Sarwate, manager of the Vulnerability Research Lab at Qualys. "If vulnerable, there is the potential for remote code execution under a Web-based attack scenario."

Broad Set of Users Affected

The remaining two vulnerabilities are labeled important by Microsoft. Security Bulletin MS07-053 describes a Windows services update that affects advanced users who integrate Windows with Unix. This update is designed to fix a zero-day exploit made public last month.

MS07-052, meanwhile, affects Crystal Reports .RPT files. If advanced users and developers browse to a malicious Web site or open an .RPT file sent as an e-mail attachment, it could open the door to an attack.

Even though there were only four fixes altogether, September's Patch Tuesday affects several different types of users, especially because of the Messenger update. "Since instant messaging software is installed by home users as well as corporate users, it affects everyone, while the remaining patches address systems and applications used by administrators and developers," Sarwate said.

Google Files Patent Application for Mobile Payments

In what could be described as Google taking a page straight out of the PayPal playbook, Google filed for a patent that describes a mobile commerce system that is similar to existing mobile payment systems, including the mobile version of PayPal. The patent application is leading to renewed speculation about Google's wireless ambitions.

Someday, "to gpay" might mean making a payment using a text message over a mobile device. That's the form of e-commerce for which Google has filed a patent, in which the terms "gpay" and "gbuy" are used.

The application is leading to renewed speculation that Google has its sights set on a more active role in the mobile-device marketplace.

First filed in February of 2006, patent application number 20070203836 was published late last week. "The payment process may occur through the simple composition by the payor of a text message," such as a short message service (SMS) message, the application stated, with payee identification and payment amount then sent to a payment processing system for debiting, crediting, or transferring funds.

Road Side Fruits and Vegetables

Some indications of Google's intended markets might be gleaned from several scenarios presented in the application.

In one scenario, at a farmer's market or a flea market, individual or family vendors sell low-priced products and typically only take cash. But such vendors are "also likely to have a cellular telephone or similar mobile device," Google's application noted, and, given the choice, might prefer not to deal only with cash.

Instead of using cash, Google envisioned, both the fruit seller and the buyer use their mobile devices. The vendor would have an account with an online payment service and an identifier, such as a phone number or a screen name like "veggiegirl." The buyer can enter the vendor's identifier and the amount to be paid, and the vendor receives confirmation on her mobile device.

If the vendor feels the buyer is trying to "spoof" the system, the vendor can log on to the online payment system through her own device and confirm the transfer of funds. Google noted that the online payment system might be able to handle micropayments, and have attached bank, credit, or debit accounts.

Lucy, Mowing Service, Thirsty Student

Another possible scenario mentioned is an entrepreneurial "young lady," with apparent references to Lucy in the Peanuts comic strip, who offers psychiatric help at a street stand for a nickel per session. She might use the mobile device to organize and analyze her finances, as well as receive payments. And she might post two identifiers, so as to separate sales that require taxes and those that do not -- in effect, two cash registers.

In other scenarios, Google suggested the payment system might have an escrow feature. This could be handy, the application stated, when a homeowner hires a young person's mowing service but is wary of the quality of the work: the homeowner can commit the payment while holding back its delivery until the job is satisfactorily completed.

Other suggested scenarios include a "thirsty college student" paying at a soda vending machine, or a community honor system, where a mobile payment system relieves a worker of monitoring occasional transactions at, say, a community stamp box.
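The flow the application sketches (a text naming the payee identifier and an amount, a processing system that debits and credits, a vendor who logs in to confirm a credit she suspects is spoofed, separate identifiers acting as separate cash registers, and an escrow hold released by the payer) can be modelled in a few dozen lines. The following Python is an added example written for this page, not Google's code or anything from the patent filing; the "gpay <payee> <amount>" message layout, the class and function names, and all phone numbers, screen names and balances are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the text-message payment flow described in the patent
# application. Class and function names, the "gpay <payee> <amount>" message
# layout and every account value below are assumptions for this example.


@dataclass
class Account:
    phone: str
    balance: int                                 # cents, so micropayments need no floating point
    ledger: list = field(default_factory=list)   # (identifier paid, register label, payer phone, cents)


# "gpay veggiegirl 3.50" or "gbuy +15550002 $12": command, payee identifier, amount
SMS_RE = re.compile(r"^\s*(?:gpay|gbuy)\s+(\S+)\s+\$?(\d+)(?:\.(\d{1,2}))?\s*$", re.IGNORECASE)


def parse_payment_sms(text):
    """Return (payee identifier, amount in cents) or raise ValueError."""
    m = SMS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised payment message: {text!r}")
    payee, dollars, cents = m.groups()
    return payee.lower(), int(dollars) * 100 + int((cents or "0").ljust(2, "0"))


class PaymentProcessor:
    """The processing system that debits the payer and credits the payee."""

    def __init__(self):
        self.accounts = {}      # phone number -> Account
        self.identifiers = {}   # phone number or screen name -> (Account, register label)
        self.escrows = {}       # escrow id -> (payer, payee, identifier, label, cents)
        self._next_escrow = 1

    def open_account(self, phone, balance_cents=0):
        acct = Account(phone, balance_cents)
        self.accounts[phone] = acct
        self.identifiers[phone] = (acct, "default")
        return acct

    def add_identifier(self, phone, screen_name, label):
        """A second identifier acts as a second cash register (e.g. taxable vs. not)."""
        self.identifiers[screen_name.lower()] = (self.accounts[phone], label)

    def receive_sms(self, source_number, text, hold_in_escrow=False):
        """Handle one inbound text. The payer is the carrier-reported source number,
        never anything in the message body, so the body cannot name some other
        account to debit."""
        payee_id, amount = parse_payment_sms(text)
        payer = self.accounts[source_number]
        payee, label = self.identifiers[payee_id]
        if amount <= 0 or payer.balance < amount:
            raise ValueError("insufficient funds")
        payer.balance -= amount
        if hold_in_escrow:
            eid = self._next_escrow
            self._next_escrow += 1
            self.escrows[eid] = (payer, payee, payee_id, label, amount)
            return ("held", eid)
        self._credit(payee, payee_id, label, source_number, amount)
        return ("paid", amount)

    def release_escrow(self, eid, releasing_number):
        """Only the payer may release held funds, once the job is done to her satisfaction."""
        payer, payee, payee_id, label, amount = self.escrows[eid]
        if releasing_number != payer.phone:
            raise PermissionError("only the payer may release escrow")
        del self.escrows[eid]
        self._credit(payee, payee_id, label, payer.phone, amount)
        return amount

    def _credit(self, payee, payee_id, label, payer_phone, amount):
        payee.balance += amount
        payee.ledger.append((payee_id, label, payer_phone, amount))

    def confirm_credit(self, vendor_phone, buyer_number, amount):
        """What the vendor does when she suspects a spoof: log in and ask the ledger.
        A 'payment sent' screen on the buyer's phone proves nothing; only this
        record does."""
        acct = self.accounts[vendor_phone]
        return any(b == buyer_number and a == amount for (_, _, b, a) in acct.ledger)

    def register_totals(self, vendor_phone):
        """Per-identifier totals, so taxable and non-taxable sales stay separate."""
        totals = {}
        for _, label, _, amount in self.accounts[vendor_phone].ledger:
            totals[label] = totals.get(label, 0) + amount
        return totals


if __name__ == "__main__":
    p = PaymentProcessor()
    p.open_account("+15550001", 10_000)      # buyer holding $100.00
    p.open_account("+15550002")              # vendor
    p.add_identifier("+15550002", "veggiegirl", "taxable")
    print(p.receive_sms("+15550001", "gpay veggiegirl 3.50"))
    print(p.confirm_credit("+15550002", "+15550001", 350))
```

Two design points carry the security weight. The payer is always the carrier-reported source number of the text, not a name inside the message, and the vendor's anti-spoof check reads the processor's own ledger over an authenticated session rather than trusting a confirmation that arrived as another text. Escrow is modelled as a debit that is held and can be released only by the payer's number, which is what lets the homeowner commit funds without delivering them.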

Feds: Iceman Was Internet ID Thief

According to a criminal complaint unsealed this week, one person told investigators he received tens of thousands of credit cards from Max Ray Butler. In the affidavit, federal agents said Butler used the aliases "Iceman," "Aphex," "Darkest" and "Digits" on his forum and when hacking into financial institutions.

A man who used the Internet alias "Iceman" stole credit card and identity information from tens of thousands of people by hacking into the computers of financial institutions and credit card processing centers, federal authorities said Tuesday.

Max Ray Butler, 35, of San Francisco, was indicted by a federal grand jury in Pittsburgh on three counts of wire fraud and two counts of transferring stolen identity information. He could face up to 40 years in prison and a $1.5 million fine if convicted on all charges.

Butler was charged in Pittsburgh because he sold more than 100 credit card numbers and related information to a Pennsylvanian who is cooperating with the investigation, said Margaret Philbin, spokeswoman for U.S. Attorney Mary Beth Buchanan of Pittsburgh.

Authorities said Butler also operated a Web site that served as an online forum for people who steal, share or use others' credit card information illegally in a practice known as "carding."

Federal court records do not list an attorney for Butler, who was arrested in California on Sept. 5 on a criminal complaint filed under seal in Pittsburgh.

Butler remains in federal custody in California. It was not immediately clear when he would return to Pittsburgh to face the charges. A detention hearing is scheduled for Monday in San Francisco.

The indictment charges Butler with e-mailing people about buying stolen card numbers and selling them for several hundred dollars per batch.

According to the criminal complaint unsealed Tuesday, one person told investigators he received "tens of thousands of cards" from Butler. In the affidavit, federal agents said Butler used the aliases "Iceman," "Aphex," "Darkest" and "Digits" on his Internet forum, in e-mails with other carders or when hacking into financial institutions.

Witnesses told agents they were present as Butler moved to various hotel rooms where he would use a high-powered antenna to intercept wireless communications. From there he allegedly hacked into financial institutions and credit card processing centers to obtain confidential card information.

One witness told agents that Butler hacked into the Pentagon Federal Credit Union, Citibank and a government employee's computer.

Philbin could not immediately say which kinds of credit card numbers were sold or whether authorities planned to alert cardholders of potential problems.

Microsoft Delays Windows Server 2008

Mark Margevicius, a research director at Gartner, said the delay of Windows Server 2008, codenamed Longhorn, was "not surprising." Microsoft has a "reputation for being late," he said, but added that "there's a lot in Longhorn" and noted that "server software has critical components" that Microsoft has to get right.

On the same day that Microsoft announced that the first service pack for Windows Vista would come out later than some had expected, it also quietly announced that the release of Windows Server 2008 has been pushed back to the first quarter of next year.

The earlier announced target for the release of Windows Server 2008, formerly codenamed Longhorn and first made available in beta in 2005, was the end of this year.

The public announcement of a delay was made on Wednesday in the second paragraph of an entry on the Windows Server Division Weblog.

'More Time to Bake'

The entry, by group product manager Helene Love Snell, noted that the blog is intended to provide "an open and honest dialogue about the development process of a product of this magnitude."

So, Helene continued, "this seems like the best place to let you know that Windows Server 2008, which we have been saying would Release to Manufacturing (RTM) by the end of the calendar year, is now slated to RTM in the first quarter of calendar year 2008."

The reason? Helene wrote that Microsoft is happy with the feedback it's getting from the latest product builds but wants to spend more time to reach the expected "high quality bar."

She quoted a Microsoft program manager as saying that Server 2008 is "like a brisket." It just needs "a little more time to bake."

Launch Event

A launch event for Windows Server 2008, SQL Server 2008, and Visual Studio 2008 has been planned for February 27 in Los Angeles. Assuming Windows Server 2008 is not ready for release by February 27, the other products featured at the event might be delayed.

Snell was quoted by PC World as saying that the anticipated Windows Server Virtualization add-on will have its actual ship date affected, but, as planned, it will still have a beta available for the RTM of Windows Server 2008 and will ship within 180 days of release.

Microsoft officials have reportedly said that scheduled end-of-this-year beta releases of other products based on Longhorn, such as the midsize business server bundle called Centro and the small business server called Cougar, will not be affected.

Mark Margevicius, a research director at Gartner, said the delay was "not surprising." Microsoft has a "reputation for being late," he said, but added that "there's a lot in Longhorn" and noted that "server software has critical components" that the company has to get right.

Microsoft Defends Stealth Windows Updates

Paul Henry, Secure Computing's VP of technology evangelism, said that although Microsoft's stealth updates have not yet created any reported issues, the ramifications could be significant. With no way of turning off Windows Update, he said, the use of a compromised update process could become an attractive vehicle for a would-be hacker.

Microsoft has crossed the line with some Windows users by secretly deploying software through Windows Update -- even to users who had turned off automatic updates. Microsoft has issued an apology, of sorts, but some security experts are still warning that the practice of updating Windows without user consent could lead to dire consequences.

As its name suggests, Windows Update is a service that primarily delivers updates to Windows. To ensure ongoing service reliability and operation, Microsoft must update and enhance the Windows Update service itself, including its client-side software.

However, Microsoft discussion boards this week revealed that Redmond was updating Windows without permission. Specifically, Windows Update has updated nine files in both Windows XP and Windows Vista over the past few weeks, according to reports.

Disaster Waiting To Happen?

Paul Henry, Secure Computing's vice president of technology evangelism, verified the stealth updates on a Windows machine in his own lab. Henry said that what initially struck him as unusual is that Microsoft began the updates without any end-user notification. Beyond this, he said, there are larger security concerns.

"First, with no way of turning off Microsoft updates, it makes the use of a compromised update process a very attractive vehicle for a would-be hacker," he explained. "Second, this also raises concerns for law enforcement." Henry pointed out that a great deal of caution is exercised to maintain stability in certain environments. For example, documented Microsoft installs in computer forensics are necessary to assure that potential evidence isn't compromised.

Henry said that although the Windows process has not yet created any reported issues, the ramifications of Microsoft's stealth updates have the potential to be significant. He said he can easily imagine a patch being automatically deployed that causes things to break and go terribly wrong in a Windows environment.

"Just look what happened to Skype in the last month," he explained. "An update was released by Microsoft that caused so many PCs to reboot and reinitialize simultaneously that it impacted Skype's ability to reconnect its worldwide network."

Microsoft Defends the Updates

For those who want to know why Microsoft updated the files automatically, even if users had not opted for automatically installing updates, Redmond offered an explanation.

"Any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available. Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications," said Nate Clinton, program manager for Windows Update, in a statement.

In addition, Clinton said that the result of not updating the files would have caused users to believe that they were secure even though there was no installation or notification of upgrades. To avoid creating such a false impression, he continued, the Windows Update client is configured to check for updates whenever a system uses the service, independent of the selected settings for handling updates.

"The point of this explanation is not to suggest that we were as transparent as we could have been; to the contrary, people have told us that we should have been clearer on how Windows Update behaves when it updates itself," Clinton concluded. "This is helpful and important feedback, and we are now looking at the best way to clarify Windows Update's behavior to customers so that they can more clearly understand how Windows Update works."

Dell and Alienware Offer Samsung 64-GB SSDs

With Dell and Alienware now offering Samsung's 64-GB SSDs for selected notebook PCs, Samir Bhavnani, research director at Current Analysis West, said that at 64-GB capacity, there is enough storage for most business users' applications and documents, but he noted that 64 GB might not be enough capacity for the SSDs to catch on with consumers.

For those awaiting the day when solid state drives (SSDs) are commonplace options on desktops and laptops, the good news is that Samsung announced on Monday it is shipping its 2.5-inch SATA, 64-GB SSDs for Dell and Alienware notebooks. The bad news is that the drives are an expensive option.

They cost $920 when added to a Dell laptop. The 64-GB SSD is available initially on Dell's XPS M1330 ultraportable notebook, and, later this year, on other models in the XPS line, as well as on Latitude corporate notebooks and Dell mobile workstations.

For Alienware, users can choose dual 64-GB SSDs in RAID 1 or RAID 0 configuration, or a 64-GB SSD in combination with a magnetic drive for the Area-51 m9750 high-performance gaming notebook. Prices start over $1,000 for the SSD additions.

Currently, Dell and Alienware both offer the smaller-capacity 32-GB SSD as a less-expensive option.

Customers 'Demanding' More Reliability

Customers are demanding more reliable and durable mobility solutions, which SSDs can offer, said Dell's Tom Pratt in a statement. Industry analysts -- and SSD makers themselves -- have said that the pricey solid state drives are a good solution for road warriors and similar users for whom durability and reliability are worth the added cost.

With no moving parts, solid state drives are silent, generate little heat, and can handle shocks and vibrations more effectively than standard hard drives. Data transfer rates can be faster than hard drives, and booting a large operating system such as Windows Vista can be quick work for SSDs. In addition, SSDs consume less power than traditional hard drives and weigh less.

Hard drives are still much larger in capacity, and their cost-per-gigabyte is a fraction of what it is for SSDs. But a report from research firm iSuppli has predicted that 60 percent of laptops sold by the end of 2009 will have SSDs, compared to less than one percent in the first quarter of this year.

Dell Has 'Broadest Range'

At 64-GB capacity, said Samir Bhavnani, research director at Current Analysis West, there is enough storage for most business users' applications and documents. Dell is taking a leading position in introducing SSDs, he noted, as it is currently offering "the broadest range of systems with SSD options of any computer maker."

As the largest corporate notebook provider, Dell's SSD options and relatively wide choice of systems could spur more sales among business users, said Bhavnani, who pointed out that SSDs for consumer machines might not have enough capacity to become popular. "It's still not enough capacity for your music and pictures," he noted.

But the steep price difference -- about $15 per GB for SSD and less than $1 per GB for hard drives -- could be worth it for some business users who want the shorter boot times, longer battery life, and added ruggedness, Bhavnani concluded.

Hard Drives Can Survive Fire, Floods

Owners of flood- or fire-damaged PCs typically assume their data is unrecoverable. Not necessarily, computer experts say, noting that at least some data can be recovered from virtually any faulty or damaged storage device. And as the computer industry has grown, so has the number of companies doing that restoration work.

As flood waters filled their basement, Larry and Nancy MacLennan hastily moved their computer to the first floor before evacuating. But the water continued to rise, eventually filling most of the two-story house and submerging the computer for hours.

For the next several days the family worried about the damage to their Minnesota City, Minn., house. When they remembered that the computer held thousands of photos, including some about 70 years old, the MacLennans feared those precious files were lost forever.

But their daughter, 35-year-old Jenna MacLennan, had heard that data-recovery firms now sometimes find data on extremely damaged hard drives. Within days, engineers had recovered all the MacLennans' files.

"We were extremely happy about that," said Jenna MacLennan, an account manager for an electronic-equipment manufacturer. "With the water, the mud, everything, we just didn't know what kind of corrosion or damage might have occurred."

Hard drives typically fail when mechanical parts wear out, but the drives tend to be remarkably resilient to external elements such as flood water, said Richard M. Smith, an Internet security and privacy consultant at Boston Software Forensics.

"If you look at a hard drive, it's hermetically sealed," Smith said. "In most cases water wouldn't get into the drive itself."

Owners of flood- or fire-damaged computers typically assume their digital tax forms, photos and passwords are unrecoverable. Not necessarily, computer experts say, noting that at least some data can be recovered from virtually any faulty or damaged storage device. And as the computer industry has grown, so has the number of companies doing that restoration work.

"We've done data recovery on a laptop that was dropped from a helicopter, on a laptop that had been submerged in the ocean for a year," said Todd Johnson, vice president of operations at Kroll Ontrack Inc., whose engineers helped the MacLennans. "One time there were even bullet holes in the hard drives."

Kroll Ontrack is a division of New York-based Kroll Inc., a risk-consulting company whose technology operations announced second-quarter revenue in August of $141 million.

As a service to victims of last month's floods in Wisconsin, Illinois, Minnesota, Ohio and Oklahoma, Kroll Ontrack is waiving some costs and charging them a flat recovery fee of $850, with 10 percent to be donated to the Red Cross.

The 20-year-old company, based in Eden Prairie, Minn., is one of several offering similar services and prices, including SalvageData Recovery Lab Inc. in Stamford, Conn., and First Advantage Data Recovery Services in Irving, Texas. The companies charge from $400 to $2,500 for a standard recovery, with the price varying depending on several factors including the proportion of data that can be recovered.

Data-recovery companies use proprietary methods to recover data, pulling files into their own environment, where engineers can determine which are salvageable. The recovery process involves digging below the operating system, Johnson said.

Data can be salvaged from Windows-based computers and Apple Inc.'s Macs, and even from fully loaded iPods or cell phones. Engineers then ship the files back on CDs, DVDs or on a new hard drive.

Typical computer users know they should back up their data, Johnson said, but many keep their backup files so close to their computers that the backups are destroyed at the same time as the computer. He recommends that backups be kept at a distance, perhaps even in a safe-deposit box at a bank.

That experts can recover data from hard drives damaged by water, fire or even a sledgehammer is a mixed blessing. Sometimes a person disposing of an old computer actually wants the hard drive destroyed to thwart would-be hackers looking for private information. So how can one be sure the hard drive is rendered permanently inaccessible?

Some experts suggest running a data-erasing program that repeatedly overwrites information with ones and zeros. Others suggest keeping the hard drive and disposing of the rest of the computer. The most extreme option would be to physically shred the hard drive and dispose of pieces in multiple locations.
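The first option above, a program that overwrites the data in place, is simple enough to show end to end. The Python below is an added example for this page, not code from any of the recovery firms quoted; the function names and the three-pass schedule (zeros, ones, random) are assumptions, and the "sensitive" records it wipes are constructed sample text. Each pass is forced to the device with fsync and the fixed-pattern passes are read back and verified, which is the part a practitioner actually wants: an overwrite that was only buffered in memory has erased nothing.

```python
import os
import secrets
import tempfile

# Constructed example of overwrite-based erasure. Function names and the
# three-pass schedule are assumptions for this example, not a standard.

PASSES = (("zeros", b"\x00"), ("ones", b"\xff"), ("random", None))   # None = fresh random bytes


def file_is_filled_with(path, byte, chunk=1 << 16):
    """Read the file back and confirm every byte equals `byte` (a 1-byte bytes object)."""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return True
            if block != byte * len(block):
                return False


def overwrite_file(path, passes=PASSES, chunk=1 << 16, remove=True):
    """Overwrite every byte of `path` once per pass, syncing each pass to the device
    and verifying the fixed-pattern passes by reading them back.
    Returns the number of passes completed."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for name, fill in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if fill is None else fill * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())      # the pass must reach the disk before the next one starts
            if fill is not None and not file_is_filled_with(path, fill):
                raise RuntimeError(f"verification failed after the {name} pass")
        if remove:
            f.truncate(0)             # release the now-overwritten blocks before unlinking
    if remove:
        os.remove(path)
    return len(passes)


def demo():
    """Wipe a constructed file of sample 'sensitive' records and report what happened."""
    results = {}
    sample = b"SSN=123-45-6789 password=hunter2\n" * 200    # constructed, not real data

    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "wb") as f:
        f.write(sample)
    results["size"] = os.path.getsize(path)
    results["passes"] = overwrite_file(path)
    results["removed"] = not os.path.exists(path)

    # Second file: a single ones pass, kept on disk so the pattern can be inspected.
    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "wb") as f:
        f.write(sample)
    overwrite_file(path, passes=(("ones", b"\xff"),), remove=False)
    results["ones_verified"] = file_is_filled_with(path, b"\xff")
    results["still_there"] = os.path.getsize(path) == len(sample)
    os.remove(path)
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats matter for anyone relying on this. Overwriting a file only reaches the blocks the file system currently maps to it: journaling or copy-on-write file systems, snapshots and earlier copies of the file keep older versions elsewhere, so disposal of a whole drive means overwriting the block device, not individual files. And on solid state drives (the subject of the previous item on this page) wear levelling silently remaps writes, so overwritten sectors can survive in flash; for those the drive's built-in secure-erase command, or full-disk encryption followed by destroying the key, is the dependable route.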

As Jenna MacLennan looks at recovered digital photos of her grandmother and grandmother's parents, she says the data recovery was a bright spot in a tragedy that left her parents' home as a roof balanced on stripped two-by-fours.

"When you're able to recover your history, your photographs, there's a sense of gaining back something that's yours," she said. "It's something you can look at as good amongst everything else, that your memories aren't all gone."

IBM Claims New Nanotech Breakthrough

To explain how much storage capacity IBM's new breakthroughs in nanotech might mean somewhere down the line, IBM said that storing data on small clusters or individual atoms could mean that almost 30,000 feature-length movies, or all of the millions of videos on YouTube, could be stored on a device the size of an iPod.

If you already think your fingers are too big for some of today's small electronic devices, you likely won't be happy to know that new discoveries from IBM could make such devices much, much smaller and more powerful.

On Thursday, the Armonk, New York-based company announced what it called "two major scientific breakthroughs." Its researchers took a big step toward figuring out how to get individual atoms to hold a specific magnetic direction, which would allow them to store data. And they got closer to developing a logic switch between molecules, and even between individual atoms inside a molecule, which could lead to molecular or submolecular processors.

The research, detailed in two reports in the journal Science, does not mean that we'll soon be seeing a supercomputer the size of a grain of sand. But the research does take several important steps in that direction.

All YouTube Videos on an iPod

The work toward getting a single atom to store data involves measuring a property called magnetic anisotropy, which is how well an atom can maintain a specific orientation, representing the one or zero used in digital storage. The company said that, before the new breakthrough, no one had been able to successfully measure the magnetic anisotropy of individual atoms.

To understand how much storage capacity that could mean, it would be best if you were sitting down. IBM said that storing data on small clusters or individual atoms could mean that almost 30,000 feature-length movies, or all of the millions of videos on YouTube, could be stored on a device the size of an iPod.

"We are now one step closer to figuring out how to store data at the atomic level," said Gian-Luca Bona, an IBM manager of science and technology.

Speck of Dust

In addition to highlighting the storage breakthroughs, the researchers pointed the way to enormous processing power in extremely small sizes by developing a single-molecule switch that "can operate flawlessly without disrupting the molecule's outer frame."

Keeping the molecule's outer frame intact is a critical advance of the new research. Among other things, it enabled researchers to use atoms inside one molecule to switch atoms in another, nearby molecule -- a basic logic switch. Earlier research at IBM and other labs has been able to switch inside single molecules, but it always changed their shape -- something you don't want to do if you're building logic gates or memory elements.

If single-atom storage didn't take your breath away, consider submolecular switches as the basis for logic gates and electrical circuits. IBM said some researchers speculate that such miniaturization could mean computer chips as small as a speck of dust.

While shopping for the fastest new piece of dust on the market is still some years away, researchers are moving on to the next step for the switches -- building a circuit, and then figuring out how to create a chip.